Managing Key Trustee Server Organizations
Organizations allow you to configure Key Trustee for use in a multi-tenant environment. Using the keytrustee-orgtool utility, you can create organizations and administrators for multiple organizations. Organization administrators can then approve or deny the registration of clients, depending on the registration method.
The keytrustee-orgtool
Utility
keytrustee-orgtool
is a command-line utility for
administering organizations. The keytrustee-orgtool
command must be run as the root user.
The following table explains the various
keytrustee-orgtool
commands and parameters. Run
keytrustee-orgtool --help
to view this information at
the command line.
Operation | Usage | Description |
---|---|---|
Add | keytrustee-orgtool add [-h] –n
name –c
contacts |
Adds a new organization and administrators for the organization. |
List | keytrustee-orgtool list |
Lists current organizations, including the authorization secret, all administrators, the organization creation date, and the organization expiration date. |
Disable client | keytrustee-orgtool disable-client [-h]
-–fingerprint fingerprint |
Disables a client that has already been activated by the organization administrator. |
Enable client | keytrustee-orgtool enable-client [-h] –-fingerprint
fingerprint |
Enables a client that has requested activation but has not yet been approved by the organization administrator. |
Set authorization Code | keytrustee-orgtool set-auth [-h] –n
name –s
secret |
Sets the authorization code to a new string, or to blank to allow automatic approvals without the code. |
Create Organizations
Each new Key Trustee tenant needs its own organization. You can create
new organizations using the keytrustee-orgtool add
command. For example, to create a new organization for the Disaster
Recovery group and add two administrators, Finn and Jake:
keytrustee-orgtool add -n disaster-recov -c finn@example.com,jake@example.com
- Do not use spaces or special characters in the organization name. Use hyphens or underscores instead.
- Do not use spaces between email addresses (when adding multiple administrators to an organization). Use a comma to separate email addresses, without any space (as shown in the example above).
Each contact email address added when creating the organization receives a notification email, as detailed below.
keytrustee-orgtool
add
command to add new administrators to the organization.
For example, to add an administrator to the
disaster-recov
organization:
keytrustee-orgtool add -n disaster-recov -c marceline@example.com
List Organizations
keytrustee-orgtool list
command. This command lists
details for all existing organizations. The following is the entry for
the disaster-recov
organization created in the
example:"disaster-recov": {
"auth_secret": "/qFiICsyYqMLhdTznNY3Nw==",
"contacts": [
"finn@example.com",
"jake@example.com"
],
"creation": "2013-12-02T09:55:21",
"expiration": "9999-12-31T15:59:59",
"key_info": null,
"name": "disaster-recov",
"state": 0,
"uuid": "xY3Z8xCwMuKZMiTYJa0mZOdhMVdxhyCUOc6vSNc9I8X"
}
Change the Authorization Code
keytrustee-orgtool list
command, the code is displayed in the auth_secret
field. To register with a Key Trustee Server, the client must have the
authorization code along with the organization name. To set a new
auth_secret
, run the following
command:keytrustee-orgtool set-auth -n disaster-recov -s ThisISAs3cr3t!
keytrustee-orgtool list
command again, and
confirm the updated auth_secret
field:"disaster-recov": {
"auth_secret": "ThisISAs3cr3t!",
"contacts": [
"finn@example.com",
"jake@example.com"
],
"creation": "2013-12-02T09:55:21",
"expiration": "9999-12-31T15:59:59",
"key_info": null,
"name": "disaster-recov",
"state": 0,
"uuid": "xY3Z8xCwMuKZMiTYJa0mZOdhMVdxhyCUOc6vSNc9I8X"
}
auth_secret
field to an empty
string:keytrustee-orgtool set-auth -n disaster-recov -s ""
Cloudera recommends requiring an authorization code.
Notification Email and GPG Keys
Hello, this is an automated message from your Cloudera keytrustee Server.
Welcome to Cloudera keytrustee! You have been listed as an administrator contact
for keytrustee services at your organization [test-org]. As an administrator,
you may be contacted to authorize the activation of new keytrustee clients.
We recommend that you register a GPG public key for secure administration of
your clients. To do so, visit the link below and follow the instructions.
https://keytrustee01.example.com:11371/?q=CnRV6u0nbm7zB07BQEpXCXsN0QJFBz684uC0lcHMoWL
This link will expire in 12 hours, at Thu Sep 3 00:08:25 2015 UTC.
- Register the GPG public key by following the link contained in the
notification email. Registering the GPG public key is optional, but
if you choose to register your public key:
- Complete the process within 12 hours, before the link expires.
- Upload the entire key, including the BEGIN and END strings, as
shown here:
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDkHP3URBACkWGsYh43pkXU9wj/X1G67K8/DSrl85r7dNtHNfLL/ewil10k2 q8saWJn26QZPsDVqdUJMOdHfJ6kQTAt9NzQbgcVrxLYNfgeBsvkHF/POtnYcZRgL tZ6syBBWs8JB4xt5V09iJSGAMPUQE8Jpdn2aRXPApdoDw179LM8Rq6r+gwCg5ZZa . . . -----END PGP PUBLIC KEY BLOCK-----
- Import the Key Trustee Server’s public GPG key to verify that the server is the sender.
The organization's administrators are notified by email when new clients are registered to
the Key Trustee Server using the mail transfer agent (as discussed in Configuring a Mail
Transfer Agent for Key Trustee Server
). However, if the server does not have access to
email, you can use a local system mail address, such as username@hostname
,
where hostname
is the system hostname and username
is a
valid system user. If you use a local system email address, be sure to regularly monitor the
email box.